privacy and anonymity using anonymizing network s –ii cs 436/636/736 spring 2012 nitesh saxena
DESCRIPTION
Privacy and Anonymity Using Anonymizing Network s –II CS 436/636/736 Spring 2012 Nitesh Saxena. Some slides borrowed from Philippe Golle, Markus Jacobson. Course Admin. Mid-term exams returned HW3 to be posted very soon. Today’s Outline. Re-encryption based mix networks Secret sharing - PowerPoint PPT PresentationTRANSCRIPT
Privacy and Anonymity Using Anonymizing Networks –II
CS 436/636/736 Spring 2012
Nitesh Saxena
Some slides borrowed from Philippe Golle, Markus Jacobson
Course Admin
•Mid-term exams returned•HW3 to be posted very soon
Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks
Today’s Outline
• Re-encryption based mix networks– Secret sharing– Research flavor
Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks
Principle Chaum ’81
Message 1
Message 2
server 1 server 2 server 3
PrivacyEfficiencyTrustRobustness
Requirements :
But what about robustness?
encr(Berry)encr(Kush)
encr(Kush)
Kush
Kush
Kush
STOP
I ignore his
outputand
produce my own
There is no robustness!
Zoology of Mix Networks
• Decryption Mix Nets [Cha81,…]:– Inputs: ciphertexts– Outputs: decryption of the inputs.
• Re-encryption Mix Nets[PIK93,…]:– Inputs: ciphertexts– Outputs: re-encryption of the inputs
Inputs Outputs?
Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks
First SolutionChaum ’81, implemented by Syverson, Goldschlag
Not robust (or: tolerates cheaters for correctness)
Requires every server to participate (and in the “right” order!)
Re-encryption Mixnet0. Setup: mix servers generate a shared key
1. Users encrypt their inputs: Input Input Pub-key
3. A quorum of mix servers decrypts the outputs
Output OutputPriv-key
Server 1 Server 2 Server 3
re-encrypt
& mix
re-encrypt
& mix
re-encrypt
& mix
2. Encrypted inputs are mixed:
Proof ProofProof
Recall: Discrete Logarithm Assumption
• p, q primes such that q|p-1• g is an element of order q and generates a
group Gq of order q• x in Zq, y = gx mod p• Given (p, q, g, y), it is computationally hard to
compute x– No polynomial time algorithm known– p should be 1024-bits and q be 160-bits
• x becomes the private key and y becomes the public key
Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks
ElGamal Encryption
• Encryption (of m in Gq):– Choose random r in Zq– k = gr mod p– c = myr mod p– Output (k,c)
• Decryption of (k,c)– M = ck-x mod p
• Secure under discrete logarithm assumption
Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks
ElGamal Example: dummy• Let’s construct an example• KeyGen:
– p = 11, q = 2 or 5; let’s say q = 5– 2 is a generator of Z11*– g = 22 = 4– x = 2; y = 42 mod 11 = 5
• Enc(3):– r = 4 k = 44 mod 11 = 3– c = 3*54 mod 11 = 5
• Dec(3,5):– m = 5*3-2 mod 11 = 3
Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks
(t+1,n)- Secret Sharing Motivation: to secure the cryptosystem against t (< n/2) corruptions Split the secret among n entities so that
any set of t+1 or more entities can recover the secret an adversary who corrupts at most t entities, learns nothing about the secret
Tool: Shamir’s Polynomial Secret Sharing
f(z) degree t polynomial (mod q) f(0) x
f(i) ssi
INSECURE SECURE
Gi
ii qlssx )(mod
Polynomial interpolation:
for any G, s.t. |G|=t+1
(n=7, t=3)
Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks
Re-encryption techniqueInput: a ciphertext (k,c) wrt public key y
1. Pick a number r’ randomly from [0…q-1]
2. Compute k’ = kgr’ mod p c’ = cyr’ mod p
3. Output (k’, c’)
Same decryption technique!
Compute m k’c’-x
Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks
A simple Mix
(k1, c1)
(k2, c2).
.
.(kn, cn)
RE-ENCRYPT
RE-ENCRYPT
(k’1,c’1)
(k’2,c’2).
.
.(k’n,c’n)
(k’’1,c’’1)
(k’’2,c’’2).
.
.(k’’n,c’’n)
Note: different cipher text, different re-encryption exponents!
And to get privacy… permute, too!
(k1, c1)
(k2, c2).
.
.(kn, cn)
(k’’1,c’’1)
(k’’2,c’’2).
.
.(k’’n,c’’n)
Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks
And, finally…the Proof
• Mix servers must prove correct re-encryption– Given n El Gamal ciphertexts E(mi) as input– and n El Gamal ciphertexts E(m’i) as output
– Compute: E( mi) and E(=m’i) – Ask Mix for Zero-Knowledge proof that these ciphertexts
decrypt to same plaintexts
Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks
Anonymizing Network in practice: Tor
• A low-latency anonymizing networkhttp://www.torproject.org/
• Currently 1000 or so routers distributed all over in the internet
• Can run any SOCKS application on top of Tor• Peer-based: a client can choose to be a router• A request is routed to/fro a series of a circuit of three
routers• A new circuit is chosen every 10 minutes• No real-world implementation of re-encryption mix as yet
Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks